Summary of and Links to Guidance on COVID-19 HIPAA Waivers and Enforcement Discretion

Nelson Mullins Riley & Scarborough LLP
Contact

Nelson Mullins Riley & Scarborough LLP

For the first 72 hours after a hospital institutes its disaster protocol for the COVID-19 emergency, HIPAA sanctions and penalties will be waived for:

  • Failure to obtain a patient’s agreement to speak with family/friends involved in the patient’s care
  • Failure to honor a request to opt out of the facility directory
  • Failure to distribute a Notice of Privacy Practices
  • Failure to permit patients to request privacy restrictions or to comply with requested restrictions
  • Failure to permit patients to request confidential communications  or to comply with requested restrictions

For the duration of the COVID-19 emergency and until OCR issues a notice that it is no longer exercising enforcement discretion, HIPAA sanctions and penalties will be waived for:

  • The good faith provision of telehealth for any patient condition using non-public facing video chat applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video chat, Zoom, or Skype.[i] 
    • OCR encourages providers to (1) notify patients that these third-party applications potentially introduce privacy risks, and (2) enable all available encryption and privacy modes when using such applications.
    • Public facing remote communication products such as Facebook Live, Twitch, and TikTok, or chat rooms like Slack, should not be used in the provision of telehealth by covered health care providers.
    • Examples of “bad faith” provision of telehealth services where HIPAA violations would not be waived include:
      • Conduct/furtherance of a criminal act, e.g. fraud, identity theft, or intentional invasion of privacy
      • Impermissible uses/disclosures of PHI obtained through telehealth visit (e.g., sale of PHI, marketing without authorization)
      • Violation of state licensing laws/professional ethical standards in provision of telehealth services 
  • The failure to have a BAA in place with vendors of such applications.
  • A business associate’s[ii]  use and disclosure of PHI to public health and emergency oversight authorities, or its performance of data analytics using PHI for disclosure to such officials, where its business associate agreements with covered entities do not specifically permit such uses and disclosures, if the business associate:
    • Makes the use or disclosure in good faith for purposes of public health or health oversight activities as described in the Privacy Rule; 
    • Informs the covered entity or covered entities within 10 days after the use or disclosure occurs or commences; and
    • Complies with other applicable HIPAA requirements, including securely transmitting the PHI to the applicable authorities.

HHS and OCR emphasize in all of these guidance documents that except where required by law or for treatment disclosures, entities must make reasonable efforts to adhere to the minimum necessary standard.

HHS and OCR also offer guidance on permissible releases of PHI to:

  • Family members and friends
  • The media
  • Emergency responders
  • Public health officials
  • Disaster relief organizations
  • Correctional institutions and law enforcement
  • Persons available to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety

https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf

https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf 

https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf

https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf 

https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-hipaa.pdf 


[i] OCR mentions that texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, Whatsapp, and iMessage also are secure, but these applications presumably can’t be used for telehealth with the possible exception of store-and-forward visits (e.g., picture of rash).

[ii] OCR notes that it also will refrain from exercising enforcement discretion against covered entities under these circumstances.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nelson Mullins Riley & Scarborough LLP | Attorney Advertising

Written by:

Nelson Mullins Riley & Scarborough LLP
Contact
more
less

Nelson Mullins Riley & Scarborough LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.